Policy Memo: Mobile Device Security Update Amendment to NIST Cybersecurity Framework

1. Overview

Since the inception of cloud computing, the number of publicly available cloud services has grown rapidly and continues to do so. The rising trend of bring your own device (BYOD) expands the organizational IT (Information Technology) landscape by letting employees use their personal devices to reach a wealth of cloud applications that increase their productivity at work. However, wireless devices such as cell phones and tablets reach those cloud applications without passing through the data center firewalls, so they are a major avenue for the introduction of malware. Application vendors do release patches for the vulnerabilities that are identified, but every application that the user fails to update, and that the vendor does not update automatically, remains an exploitable weakness in the enterprise.

2. Purpose

The purpose of this policy is to address the commercial app vulnerabilities that personal mobile devices, which are not under data center controls, introduce to organizations. The NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity provides a systematic process for identifying, assessing, and managing cyber security risk. Under the Framework's Respond function, the Mitigation subcategory RS.MI-2 ("Incidents are mitigated") maps to the NIST SP 800-53 Rev. 4 control IR-4 (Incident Handling). This memo proposes that IR-4 be extended with an additional control enhancement titled “IR-4 (11) Incident Handling: Mobile Device Security Updates”, which addresses the need for app vendors to periodically send out automatic application updates that remediate newly identified software vulnerabilities. Since mobile devices access public cloud applications outside the control of the data center, the organization cannot ensure that security updates are applied unless the application provider automatically pushes them to the device.

3. Scope

A key productivity driver today is the use of mobile devices and the access they grant to cloud services. Organizations are discovering that enterprise mobility can yield measurable operational and business improvements. These benefits come in the form of additional mobile assets that employees are already familiar with, which reduces the training that IT staff would otherwise need to provide for the support and administration of organization-issued devices. Employees use these devices for work without the organization incurring additional capital expenditure. This also raises employee job satisfaction by giving them the flexible working-hour alternatives they require.[ii] In addition, workers are using commercial apps to aid in enterprise activity. These software solutions would otherwise be unavailable, as the organization's IT department would never have the time or bandwidth to create such programs. These apps give the organization data solutions outside its own software infrastructure, and thus a competitive advantage. With these productivity benefits, the BYOD and commercial app landscape will continue to grow. This mobile landscape is, for the most part, a positive trend. Unfortunately, this evolving ecosystem also exposes the enterprise to many new cyber security vulnerabilities. Contemporary security models and voluntary guidelines must be established to protect organizations' data infrastructure.

4. Policy

Adopting no new policies for the evolving mobile and commercial app landscape would leave any organization highly vulnerable to cyber-attacks. With the growing prevalence of personal mobile devices and commercial apps, declining to adopt any new policy would make the question of "if" the organization will be compromised obsolete; the only remaining question would be "when". Failing to adapt to the evolving landscape with new cyber security policies is ill advised and impractical.

Furthermore, it is not feasible to adopt a policy that bans all outside mobile devices and all commercial applications. It is an unfortunate reality that, since the consumerization of IT, many workers see their organization's IT department as the blocker that restricts their productivity. A strict policy banning outside mobile devices and commercial applications would only deepen this internal conflict. More importantly, it would impede the technological advancement of the business and reduce productivity. Policing such an environment would also be difficult; beyond hindering productivity, it would likely cost the organization valuable resources and manpower. A well-defined and properly implemented mobility strategy can change this perception while still providing the overarching security framework that secures devices and commercial apps.

One potential solution for securing the mobile enterprise landscape is to require a mobile device management solution (such as MobileIron, AirWatch, etc.) to be installed on every employee's mobile device. These management solutions bring the devices within the controls of the data center and allow the organization to block commercial applications that have been categorized as “high-risk” or “compromised”. This policy, however, depends on every employee remembering to enroll each personal device they acquire in the management solution; an unenrolled device is invisible to it.

Another potential policy solution would be for the commercial app vendor to require each individual app user to apply the patch within a short window of time. If the patch is not applied to the individual mobile device, the app is blocked until the patch is downloaded and installed. This, however, could interfere with the user's tasks at hand. If the user is in the middle of a work-related project and must reload the app, losing all of the work in progress, the measure is disruptive and therefore not an efficient alternative on its own.

When it comes to mobile landscape implementation, organizations need to consider the scalability and flexibility of their mobile platform while remaining grounded in the underlying need for security. With this in mind, the best security policy is for the individual public app vendor to automatically send out patches and update the application on each device, typically through the platform app store's automatic update channel. “IR-4 (11) Incident Handling: Mobile Device Security Updates” addresses the need for public cloud vendors to periodically send out automatic security updates to mobile devices, ensuring that mobile devices have the latest fixes applied or are blocked from using the application until the fix is applied. This solution recognizes and addresses the evolving mobile device and commercial app landscape without requiring additional device management software. It also gives commercial app users the assurance that the work they are currently doing will not be lost to a software update, and that they are using a patched app. App vendors that adhere to the NIST Framework for Improving Critical Infrastructure Cybersecurity will adopt “IR-4 (11)” if it is added as an informative reference under the Mitigation subcategory (RS.MI-2).
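The two enforcement options above (hard block until patched, versus automatic update that lets in-progress work finish) come down to a version gate the vendor ships inside the mobile client. The following is an added illustration of such a gate, not code from the memo or from any named vendor: it compares the installed build against a vendor-published manifest, blocks immediately when the build is older than the minimum supported (vulnerable) version, and otherwise gives the user a grace window before blocking. The manifest fields (`latest`, `min_supported`, `grace_days`, `published`), the version numbers and the dates are constructed assumptions.

```python
"""Minimum-version update gate for a mobile client.

Added example: the manifest format, field names, versions and dates are
constructed assumptions, not a real vendor's protocol.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class UpdatePolicy:
    latest: str          # newest build the vendor has published
    min_supported: str   # oldest build allowed to run; anything older is blocked
    grace_days: int      # how long a build below `latest` may keep running


# Constructed manifest, standing in for what a vendor would serve to the
# client over TLS. Transport and signature verification are out of scope here.
SAMPLE_MANIFEST = {
    "latest": "4.2.1",
    "min_supported": "4.1.0",
    "grace_days": 14,
    "published": "2024-05-01T00:00:00+00:00",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse 'a.b.c' into integers so 4.10.0 > 4.9.0 (string comparison gets this wrong)."""
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def load_policy(manifest: dict) -> UpdatePolicy:
    """Validate the manifest: a min_supported above latest would block every build."""
    policy = UpdatePolicy(
        latest=manifest["latest"],
        min_supported=manifest["min_supported"],
        grace_days=int(manifest["grace_days"]),
    )
    if parse_version(policy.min_supported) > parse_version(policy.latest):
        raise ValueError("min_supported may not exceed latest")
    return policy


def evaluate(installed: str, policy: UpdatePolicy, published: datetime, now: datetime) -> str:
    """Return 'blocked', 'update-soon' or 'ok'.

    - below min_supported: blocked at once (known vulnerability, no grace)
    - below latest but still supported: user may finish work until the grace
      window closes, then the build is blocked too
    - at or above latest: nothing to do
    """
    inst = parse_version(installed)
    if inst < parse_version(policy.min_supported):
        return "blocked"
    if inst < parse_version(policy.latest):
        deadline = published + timedelta(days=policy.grace_days)
        return "update-soon" if now < deadline else "blocked"
    return "ok"


def check_device(installed: str, manifest: dict = SAMPLE_MANIFEST,
                 now: Optional[datetime] = None) -> str:
    """Entry point the client would call at launch and on resume."""
    policy = load_policy(manifest)
    published = datetime.fromisoformat(manifest["published"])
    if now is None:
        now = datetime.now(timezone.utc)
    return evaluate(installed, policy, published, now)


if __name__ == "__main__":
    t = datetime(2024, 5, 5, tzinfo=timezone.utc)
    for build in ("4.0.9", "4.1.3", "4.10.0", "4.2.1"):
        print(build, check_device(build, now=t))
```

The grace window is what separates the disruptive "block now" option from the preferred one: a build that is merely behind `latest` keeps working for `grace_days` after publication, while a build below `min_supported` is refused outright because the vendor has tied that threshold to a known fix. Numeric version parsing matters in practice; a lexicographic comparison would treat "4.10.0" as older than "4.2.1" and wrongly nag a fully patched device.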

5. Policy Compliance

Protecting the evolving mobile and commercial app landscape requires a well-defined and properly implemented cyber security strategy. The NIST Cybersecurity Framework provides invaluable guidance to organizations. The Framework is a key blueprint for improving the cyber security of our Nation's critical data infrastructure while raising the cyber security posture of our Nation as a whole.
